Picked up xHelper 'matryoshka' trojan? Best to just nuke the site from orbit

An Android malware package likened to a Russian matryoshka nesting doll has security researchers raising the alarm, since it appears it's almost impossible to get rid of.

Known as xHelper, the malware has been spreading mainly in Russia, Europe, and Southwest Asia on Android 6 and 7 devices (which while old and out of date, make up around 15 per cent of the current user base) for the past year from unofficial app stores. Once on a gizmo, it opens a backdoor, allowing miscreants to spy on owners, steal their data, and cause mischief.

It has only recently been picked apart by Kaspersky Lab bods, and what makes the malware particularly nasty, the researchers say, is how it operates on multiple layers on the tablets and handsets it infects.

"The main feature of xHelper is entrenchment," explained Igor Golovin on Tuesday. "Once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings."

When the malware is downloaded under the guise of a legit device "cleaning" app, it seems simple enough. A "dropper" trojan is pulled down from the internet, which collects device information and downloads and runs another trojan, which, in turn, downloads a set of exploit code that, when run, grants the malware root privileges on the device. This exploit code targets security vulnerabilities seemingly prevalent in Chinese-made Android 6 and 7 devices.

Each of these malware downloads, by the way, are nested within a succession of folders hidden further away from security tools to make them harder to spot.

More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research

"Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to," explained Golovin. "This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions."

Armed with its powerful root privileges, the malware mounts the operating system partition with write access enabled – which isn't normally done – allowing the software nasty to copy itself there. The malware changes the code for the mount() function in the system's shared libc core library to prevent the user and apps from doing the same in the future to delete the malicious program, thus locking itself in and locking victims out.

This means it can make sure it runs from every system startup and is reinstalled from the system partition if the device is factory reset.

To make things worse, the malware downloads and installs more nasties and removes various bits of the system. Not surprisingly, Golovin says, this makes the infection nearly impossible to completely remove.

"Simply removing xHelper does not entirely disinfect the system," said the egghead. "The program com.diag.patches.vm8u, installed in the system partition, reinstalls xHelper and other malware at the first opportunity."

If you catch this malware, you can try to restore the vandalized libc in Android recovery mode, and then remount the system partition in write mode, and remove the malware yourself.

The best thing to do, though, is go a step further than a factory reset, and erase the flash memory completely, including the system partition, and put in a fresh clean copy. "If you have Recovery mode set up on your Android smartphone," said Golovin, "you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone."

Even better advice is to avoid downloading any suspicious apps from the Google Play Store, just to be safe, and definitely don't use unauthorized third-party stores at all. ®